Migrate to networkd.

This commit is contained in:
Dmitry Voronin 2024-11-29 01:44:48 +03:00
parent bf728964af
commit c8494dc85b
5 changed files with 115 additions and 63 deletions

View file

@ -105,6 +105,24 @@ in {
}; };
}; };
}; };
systemd = {
services = {
forgejo = {
serviceConfig.PrivateNetwork = lib.mkForce false;
wantedBy = lib.mkForce [ ];
};
};
timers.fixsystemd = {
timerConfig = {
OnBootSec = 5;
Unit = "forgejo.service";
};
wantedBy = [
"timers.target"
];
};
};
}; };
}; };
}; };

View file

@ -47,7 +47,7 @@ in {
"data" "data"
]; ];
# HACK: When using `networking.interfaces.*` it breaks. This works tho. # HACK: I have no idea how to fully manage the container interface via networkd, so just add a route manually.
systemd.services.vpn-route = util.mkStaticSystemdService { systemd.services.vpn-route = util.mkStaticSystemdService {
enable = true; enable = true;
description = "Hack vpn routes on host"; description = "Hack vpn routes on host";
@ -55,9 +55,11 @@ in {
wants = [ "container@vpn.service" ]; wants = [ "container@vpn.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn"; Type = "oneshot";
Type = "oneshot";
}; };
script = ''
${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn || true
'';
}; };
containers.vpn = container.mkContainer cfg { containers.vpn = container.mkContainer cfg {

View file

@ -1,8 +1,12 @@
{ ... }: { { ... }: {
container = { container = {
enable = true; enable = true;
autoStart = true; autoStart = true;
domain = "voronind.com";
host = "188.242.247.132";
interface = "enp8s0";
localAccess = "10.0.0.0/24";
storage = "/storage/hot/container";
module = { module = {
change.enable = true; change.enable = true;
cloud.enable = true; cloud.enable = true;
@ -32,12 +36,6 @@
watch.enable = true; watch.enable = true;
yt.enable = true; yt.enable = true;
}; };
domain = "voronind.com";
host = "188.242.247.132";
interface = "enp8s0";
localAccess = "10.0.0.0/24";
storage = "/storage/hot/container";
media = { media = {
anime = [ anime = [
"/storage/cold_1/anime" "/storage/cold_1/anime"

View file

@ -1,4 +1,4 @@
# 10.0.0.0/24 - wired clients. # 10.0.0.0/24 - wired clients (lan).
# 10.1.0.0/24 - containers. # 10.1.0.0/24 - containers.
# 10.1.1.0/24 - vpn clients. # 10.1.1.0/24 - vpn clients.
# 192.168.1.0/24 - 5G wireless clients. # 192.168.1.0/24 - 5G wireless clients.
@ -19,20 +19,82 @@ in {
# Disable SSH access from everywhere, configure access bellow. # Disable SSH access from everywhere, configure access bellow.
services.openssh.openFirewall = false; services.openssh.openFirewall = false;
# NOTE: Debugging.
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
# Wan configuration.
systemd.network = {
networks = {
"10-${wan}" = {
matchConfig.Name = wan;
linkConfig.RequiredForOnline = "carrier";
dhcpV4Config = {
UseDNS = false;
UseRoutes = true;
ClientIdentifier = "mac";
};
dhcpV6Config = {
UseDNS = false;
};
networkConfig = {
DHCP = "yes";
DNS = "1.1.1.1";
IPv6AcceptRA = true;
};
};
"20-enp6s0f0" = {
matchConfig.Name = "enp6s0f0";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp6s0f1" = {
matchConfig.Name = "enp6s0f1";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp7s0f0" = {
matchConfig.Name = "enp7s0f0";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"20-enp7s0f1" = {
matchConfig.Name = "enp7s0f1";
networkConfig.Bridge = lan;
linkConfig.RequiredForOnline = "enslaved";
};
"30-${lan}" = {
matchConfig.Name = lan;
bridgeConfig = {};
linkConfig.RequiredForOnline = "carrier";
address = [
"10.0.0.1/24"
];
routes = [
# Wifi 5G clients.
{ routeConfig = {
Gateway = wifi;
Destination = "192.168.1.0/24";
}; }
# Wifi 2G clients.
{ routeConfig = {
Gateway = wifi;
Destination = "192.168.2.0/24";
}; }
];
};
};
netdevs = {
"10-${lan}" = {
netdevConfig = {
Kind = "bridge";
Name = lan;
};
};
};
};
networking = { networking = {
# Use only external DNS.
networkmanager.insertNameservers = [
"1.1.1.1"
"8.8.8.8"
];
# Some extra hosts for local access.
extraHosts = with config.container.module; (util.trimTabs ''
${git.address} git.voronind.com
${proxy.address} iot.voronind.com
${proxy.address} pass.voronind.com
'');
firewall = { firewall = {
enable = true; enable = true;
allowPing = true; allowPing = true;
@ -105,41 +167,5 @@ in {
# SSH access from WAN. # SSH access from WAN.
# + (mkForward external 22143 config.container.host 22143 tcp) # + (mkForward external 22143 config.container.host 22143 tcp)
}; };
# Create Lan bridge.
bridges.${lan}.interfaces = [
"enp6s0f0"
"enp6s0f1"
"enp7s0f0"
"enp7s0f1"
];
interfaces = {
${lan}.ipv4 = {
# Assign Lan address and subnet.
addresses = [
{
address = internal;
prefixLength = 24;
}
];
# Assign traffic routes.
routes = [
# Wifi 5G clients.
{
address = "192.168.1.0";
prefixLength = 24;
via = wifi;
}
# Wifi 2.4G clients.
{
address = "192.168.2.0";
prefixLength = 24;
via = wifi;
}
];
};
};
}; };
} }

View file

@ -7,7 +7,15 @@
}; };
networking = { networking = {
networkmanager.enable = true;
dhcpcd.enable = false; dhcpcd.enable = false;
networkmanager = {
enable = true;
unmanaged = [
"bridge"
"ethernet"
"loopback"
"wireguard"
];
};
}; };
} }